Rootkit?... then BSOD

Hi,
A bit of history first. PC apparently had a virus, we took it to PC retailer who ‘cleaned it’ and reinstalled Vista. Subsequently had major issues with it and several trips later they gave up and gave our money back. Friend advised we run GMER and it found TDL4@MBR rootkit. Downloaded and ran ASWMBR scan which found the rootkit. Ran it again with Fix and rootkit removed. Rebooted and reran Scan
Unfortunately now when we restart the PC we get the BSOD and can only run it in Safe Mode. Have run MBAM but this comes up clean.

Any advice on how to proceed would be appreciated.

Thanks

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Thank you for the quick response. I downloaded OTS and entered settings and Custom Scan details. Ran the Scan but when it finished it was unable to write to Notepad. Message displayed was “The System Cannot Find The Path Specified”. I am running between machines with a memory stick but I believe everything was entered correctly. Anything else I can do/check?
Thanks.

Just noticed my original post didn’t include anything in the attachments. Will try again.

I see that you repaired the TDL4 using aswMBR

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 1 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Ran Roguekiller as requested and log attached.
Thanks.

Run RogueKiller again please and this time use Option 2

Then retry OTS

Ran Roguekiller again and then OTS. Logs attached.
Thanks.

That does not look too bad

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {1E8A6170-7264-4D0F-BEAE-D42A53123C75} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

THEN

Rebooting to normal mode and the affected logon

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hello again. Ran OTS with fix. Only output from it was the message “The system requires a reboot to finish removing files. Click Yes to reboot the system”.

I clicked yes, PC rebooted but blue screened on restart, then looped through reboot and blue screen again and again.

Starting to regret not taking out the extended warranty!!

Are you still in safe mode?

Rerun RogueKiller and select option 6 then reboot

Yes, I can only start the PC in Safe mode. Any other startup results in a blue screen and then a reboot.
I have attached the latest Roguekiller report.
Thanks.

All your files and folders should be back now - when the system crashes does it display an error?

Hello. No, there are no messages of any kind. It seems to complete the startup process, apparently works for about 10 seconds, blue screens and then restarts, ad infinitum.

Thanks.

OK, let's check the startups

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.

[*]Save it to the desktop.
[*]Run Silent Runner’s by doubleclicking the “Silent Runners” icon on your desktop.
[*]You will receive a prompt:
Do you want to skip supplementary searches?
click NO

[*]If you receive an error just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
[*]You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!)
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.

Here’s the Silent Runners report.
Thanks.

Could you set your system not to restart on a blue screen so that we can see what driver is causing the problem

To do this follow the instructions on this page http://vistasupport.mvps.org/disable_automatic_restart_to_read_blue_screen_messages.htm
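The same setting can be inspected and changed from an elevated PowerShell prompt, which also works in Safe Mode. This is an added example written for this thread, not from the linked page or from the helper; it assumes PowerShell 2.0 or later is installed, uses the standard CrashControl registry values, and additionally checks that a crash dump is configured and lists any minidumps already written, since the dump is what actually names the faulting driver.

```powershell
# Added example: turn off automatic restart after a STOP error so the bug check
# code and faulting driver stay on screen, and make sure a dump gets written.
# Run from an elevated PowerShell prompt. Assumes PowerShell 2.0+ on Vista.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashControlState {
    $p = Get-ItemProperty -Path $key
    # Missing values cast to 0; MinidumpDir falls back to the Windows default.
    $miniDir = if ($p.MinidumpDir) { $p.MinidumpDir } else { '%SystemRoot%\Minidump' }
    [pscustomobject]@{
        AutoReboot       = [int]$p.AutoReboot        # 1 = restart automatically (hides the BSOD)
        CrashDumpEnabled = [int]$p.CrashDumpEnabled  # 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump)
        MinidumpDir      = [Environment]::ExpandEnvironmentVariables($miniDir)
    }
}

$before = Get-CrashControlState
Write-Host "Before: AutoReboot=$($before.AutoReboot) CrashDumpEnabled=$($before.CrashDumpEnabled)"

if ($before.AutoReboot -ne 0) {
    Set-ItemProperty -Path $key -Name AutoReboot -Value 0 -Type DWord
}
if ($before.CrashDumpEnabled -eq 0) {
    # Without a dump there is nothing to analyse afterwards; a small dump
    # is enough to identify the module that caused the bug check.
    Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 3 -Type DWord
}

$after = Get-CrashControlState
Write-Host "After:  AutoReboot=$($after.AutoReboot) CrashDumpEnabled=$($after.CrashDumpEnabled)"

# Minidumps from the earlier crash loop, newest first. Each one can be opened
# in WinDbg (!analyze -v) to read the stop code and the faulting driver.
if (Test-Path $after.MinidumpDir) {
    Get-ChildItem -Path $after.MinidumpDir -Filter *.dmp |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, Length |
        Format-Table -AutoSize
} else {
    Write-Host "No minidump folder at $($after.MinidumpDir) yet."
}
```

Re-run it after the next Safe Mode boot: if AutoReboot reads 1 again the change is being reverted on restart, and the minidumps it lists are still the quickest way to get the driver name.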

Hello essexboy,
I changed Automatic Restart setting as required and restarted the PC. It blue screened as expected but no messages were produced, instead it restarted at the “Windows Error Recovery Screen” which gave the choice of Safe or Normal restart (previously it would have automatically done a normal restart). I went for a Safe restart and then checked the Automatic Restart option. It had been reset to its original state. I unticked it, went through the process again and once more no message and the Automatic Restart option was reset.

Thanks.

This may require a repair install, do you have the Windows CD?

Hello essexboy.
No, pc came with vista pre-installed so no cd. If I select “Repair” instead of “Safe” when it starts up there are items like Startup Repair and Backup and Recovery Utility to choose from. Any of these do the job?

Thanks.